Facebook, long a lightning rod for criticism for lax privacy controls, is being hammered again, this time for a loophole that lets a person be added to a discussion group by a friend without the user's permission.

At the heart of the controversy are two gay college students who reportedly had their sexual preference inadvertently exposed to hundreds of Facebook friends.

A Facebook spokesman deflected any blame pointed in the company’s direction.

"Our hearts go out to these young people," he said. "Their unfortunate experience reminds us that we must continue our work to empower and educate users about our robust privacy controls."

The University of Texas in Austin students had been careful to keep their parents from knowing about their same-sex lifestyles. But they lost control of their secrets when the president of the Queer Chorus, a choir group they joined, inadvertently exposed their homosexuality to hundreds of Facebook friends by adding them to a Facebook discussion group, according to The Wall Street Journal.

It occurred despite the fact that both were seasoned Facebook users who had tried to use Facebook's privacy settings to shield some of their activities from their parents.

Here’s how it happened.

The choir group leader created a "group" on Facebook around a shared interest or activity. He set it to be "open," meaning other Facebook users could see its membership and activities, as opposed to two other more locked-down options -- "secret," which hides membership and discussions from non-members, or "closed," which lets anyone see who’s in the group, but not what they're posting.

After he added the two students who were Facebook friends to the group, Facebook generated a notice that appeared on the two students’ friends' Facebook pages -- alerting them to their membership.

While people added to a group this way can always leave, they are first added by default.

The fallout: one father left nasty phone messages and threatened to sever family ties and another didn’t speak to his son for three weeks.

Discussion groups aren’t the only privacy issues Facebook is facing.

Independent security researcher Suriya Prakesh recently published a blog post in which he claimed that "98 percent of your phone numbers [on Facebook] are not safe." In the post, Prakesh demonstrated that a brute-force attack could be used to look up sequential phone numbers on Facebook and match them with their respective user names.

PCWorld also recently reported that Facebook is working with Datalogix, a company based in Colorado that specializes in collecting data from retailers using customer loyalty cards and linking those purchases to future advertising campaigns. Datalogix links loyalty card holders to their Facebook accounts using shared information, such as email addresses, although the information is anonymized, the report said.

At issue is the fact that Facebook reached an agreement with the Federal Trade Commission in November 2011 after the agency charged the site was repeatedly sharing information that users believed was kept private. Under the settlement terms, Facebook admitted no guilt but agreed to obtain users’ consent before sharing their information beyond their established privacy settings.

And in Europe, regulators have cracked down on Facebook's facial recognition feature because of privacy concerns. The European Union has stricter privacy regulations than the United States, where Facebook has been criticized and sued but not censured for its lax privacy policies.

Facebook, in turn, last month said it would shut off the feature in Europe and delete the millions of European photos it's collected over the years by Oct. 15.